* [gentoo-dev] SearchSecurity.com: "Linux patch problems: Your distro may vary"
From: Wolfram Schlich @ 2006-08-07 11:42 UTC
To: gentoo-dev, gentoo-security
Hi,
I just stumbled over an article from SearchSecurity.com which was linked to
in a heise newsticker posting that tries to analyze how fast distributions
react to security vulnerabilities:
http://tinyurl.com/lplfb
Quick chart:
Rank  Distro                     Points/100
----  -------------------------  ----------
1.    Ubuntu                     76
2.    Fedora Core                70
3.    Red Hat Enterprise Linux   63
4.    Debian GNU/Linux           61
5.    Mandriva Linux             54
6.    Gentoo Linux               39
7.    Trustix Secure Linux       32
8.    SUSE Linux Enterprise      32
9.    Slackware Linux            30
Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
Any comments or thoughts about this?
Can we become better?
Are we maybe better than the author pretends?
Does the security team currently face serious problems that need to be
solved, be it inside or outside the security team?
I am just curious and would be glad to get some feedback :)
--
Regards,
Wolfram Schlich <wschlich@gentoo.org>
Gentoo Linux * http://dev.gentoo.org/~wschlich/
--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] SearchSecurity.com: "Linux patch problems: Your distro may vary"
From: Simon Stelling @ 2006-08-07 16:07 UTC
To: gentoo-dev
Wolfram Schlich wrote:
> Any comments or thoughts about this?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?
As far as I know large chunks of time get lost when waiting for maintainers and
arch teams to do their work. I don't see how the security team could do much
about this; except maybe giving them a yearly budget to travel around the world
and slap people who seem to ignore security bugs.
--
Kind Regards,
Simon Stelling
Gentoo/AMD64 Developer
* Re: [gentoo-dev] SearchSecurity.com: "Linux patch problems: Your distro may vary"
From: Donnie Berkholz @ 2006-08-07 16:17 UTC
To: gentoo-dev
Wolfram Schlich wrote:
> Any comments or thoughts about this?
Read the comments here: http://lwn.net/Articles/193107/
In the future, please don't double-post to subscriber-only lists, very
few people can reply to both.
Thanks,
Donnie
* Re: [gentoo-dev] SearchSecurity.com: "Linux patch problems: Your distro may vary"
From: Carsten Lohrke @ 2006-08-07 17:11 UTC
To: gentoo-dev
As far as I'm aware the problem isn't the security team, but the reasons are:
1. slow/understaffed arch teams - and I suppose this is the biggest problem,
as we need all security-wise supported¹ architectures stable, before a GLSA
can be sent out.
2. the amount of unmaintained stuff in the tree, no one cares for - see Sune's
libwmf email
3. maintainer on vacation or for another reason inactive and didn't
communicate that - no co-maintainer, no herd backing up, leaving everyone
waiting.
This ranking of course does neither say anything about the quality of the
fixes, nor does the severity Secunia applies to an issue necessarily match
ours or other distribution security teams'.
Carsten
[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
* [gentoo-dev] Re: SearchSecurity.com: "Linux patch problems: Your distro may vary"
From: Duncan @ 2006-08-07 17:44 UTC
To: gentoo-dev; +Cc: gentoo-security
Wolfram Schlich <lists@wolfram.schlich.org> posted
20060807114221.ALLYOURBASEAREBELONGTOUS.J1712@bla.fasel.org, excerpted
below, on Mon, 07 Aug 2006 13:42:21 +0200:
> I just stumbled over an article from SearchSecurity.com which was linked
> to in a heise newsticker posting that tries to analyze how fast
> distributions react to security vulnerabilities:
>
> http://tinyurl.com/lplfb
>
> Quick chart:
>
> Rank Distro Points/100
> ---- ------------------------- ----------
> 1. Ubuntu 76
> 2. Fedora Core 70
> 3. Red Hat Enterprise Linux 63
> 4. Debian GNU/Linux 61
> 5. Mandriva Linux 54
> 6. Gentoo Linux 39
> 7. Trustix Secure Linux 32
> 8. SUSE Linux Enterprise 32
> 9. Slackware Linux 30
>
> Rank 6 out of 10 is not a great result -- at least we beat SUSE ;)
I saw the same article and was similarly unhappy. One thing to note is
that the timings, AFAIK, are based on the release of the security
announcement for the distribution. With Gentoo, as others have pointed
out, that means waiting for everybody to stabilize the update -- it's
actually in the tree days/weeks before that.
Realizing it's there for those who want it, well before the GLSA, is
useful, although it doesn't particularly help our standing or make us look
that great. I do know however, that as a ~arch user, most of the time
when I see a GLSA on the announce list, I check and I've had the fixed
version installed for a week or more.
For those who prefer stable, the above info can still be helpful. As long
as you normally visit community sites such as LWN, which list security
announcements when they become public (an article is created at the
original announcement by the first distrib or the finder/upstream, then
updated as the various distribs do their own announcements), the ebuilds
are usually in the tree either at the moment of public announcement, or
within 24 to 48 hours, best I can tell. There's nothing saying you have
to wait for the GLSA or even for stable keywording. Once you see the
announcement, check the tree for the version in question, or the
changelog, as sometimes it's not a new version upstream so it's just a
Gentoo -rX revision. You can then use package.keywords etc. as
appropriate, to get the security update, even if you normally use stable,
days/weeks before the GLSA, and normally very soon after public
announcement.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
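A small helper for the check Duncan describes, added here as an example and not code from the thread: it looks for the fixed version's ebuild in a portage tree, reads its KEYWORDS line to see whether that version is stable or only ~arch for the user's architecture, and prints the package.keywords entry a stable user would need to pull it in ahead of the GLSA. The tree layout and the package app-misc/example are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Given a portage tree, a package and
# the fixed version named in an announcement, report whether that ebuild is
# already in the tree and how it is keyworded for one arch, and print the
# package.keywords line a stable user needs to accept exactly that version.
# The tree layout and the package app-misc/example are constructed for the demo.

# Usage: ebuild_status TREE CATEGORY/PN VERSION ARCH
# Prints missing | stable | testing | masked; returns 1 only when no ebuild exists.
ebuild_status() {
    tree=$1 ver=$3 arch=$4
    pcat=${2%/*} pn=${2#*/}
    ebuild="$tree/$pcat/$pn/$pn-$ver.ebuild"
    [ -f "$ebuild" ] || { echo missing; return 1; }
    # Ebuilds set KEYWORDS="..." on one line; pull out the quoted value.
    kw=$(sed -n 's/^KEYWORDS="\([^"]*\)".*/\1/p' "$ebuild" | head -n 1)
    for k in $kw; do
        [ "$k" = "$arch" ] && { echo stable; return 0; }
        [ "$k" = "~$arch" ] && { echo testing; return 0; }
    done
    # Neither arch nor ~arch is listed: not keyworded for ARCH at all.
    echo masked
    return 0
}

# Usage: keywords_line CATEGORY/PN VERSION ARCH
# Prints the /etc/portage/package.keywords entry that accepts only this version.
keywords_line() {
    printf '=%s-%s ~%s\n' "$1" "$2" "$3"
}

# Build a throwaway tree holding one constructed ebuild and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/app-misc/example"
    printf 'KEYWORDS="~amd64 x86"\n' > "$d/app-misc/example/example-1.2.3-r1.ebuild"
    echo "$d"
}

# Walk through the check as an amd64 stable user would.
demo() {
    t=$(make_demo_tree)
    s=$(ebuild_status "$t" app-misc/example 1.2.3-r1 amd64)
    echo "app-misc/example-1.2.3-r1 on amd64: $s"
    [ "$s" = testing ] && keywords_line app-misc/example 1.2.3-r1 amd64
    rm -rf "$t"
}
```

Run `demo` to see the testing verdict followed by the package.keywords line; against a real tree, point TREE at your portage checkout and use the version from the announcement or ChangeLog.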
* [gentoo-dev] Re: [gentoo-security] SearchSecurity.com: "Linux patch problems: Your distro may vary"
From: Sune Kloppenborg Jeppesen @ 2006-08-07 20:11 UTC
To: gentoo-dev, gentoo-security
Hi there,
On Monday 07 August 2006 13:42, Wolfram Schlich wrote:
> Any comments or thoughts about this?
> Can we become better?
> Are we maybe better than the author pretends?
> Does the security team currently face serious problems that need to be
> solved, be it inside or outside the security team?
>
> I am just curious and would be glad to get some feedback :)
I saw the article a few days back and here is a short summary of what I think
about it:
- I'm a bit disappointed with the result.
- The Security Team is short on staff so we're not as speedy as we once
were :-/
- The scores are not weighted to take severity into account.
- No exact references are given to the vulnerabilities in question making it
hard to check.
- Secunia release dates are not the same as Gentoo release dates as Secunia
seldom work during weekends.
- Unstable users usually get the fix hours or even days before the GLSA is
issued.
- My own non-scientific research indicates that we're not that bad compared to
other community distributions like Debian (at least when you compare the
latest GLSAs with the high severity rating).
If you want to help out the Security Team and have some relevant skills please
consult the link in my signature or send me a private email.
--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
http://security.gentoo.org